Privacy Policy

About Episurf Medical AB and this privacy policy

Processing of your personal data

Episurf Medical AB, Reg. No. 556767-0541 and its group companies, Karlavägen 60, SE-114 49 Stockholm, Sweden (the “Company” or “we”) takes all necessary measures to make sure that personal data concerning our patients, our external partners, visitors to our website and other persons whose personal data may be subject to processing by the Company is processed by us in a lawful, fair and transparent manner.

When you use our various services, we collect your personal data. The Company is consequently the data controller of your personal data and processes it in accordance with this privacy policy. This privacy policy explains and clarifies your rights in relation to the Company regarding the processing of your personal data and how you can exercise those rights.

The Company is committed to protecting your personal data and it is important to the Company to ensure that your personal data is being processed in a secure way. We comply with all applicable laws and rules that exist to protect the privacy of individuals, including the Swedish Personal Data Act (1998:204), the Swedish Act on Electronic Communication (2003:389) and such other laws or regulations that implement the EU Data Protection Directive 95/46/EC, the Electronic Communications Directive 2002/58/EC and the EU General Data Protection Regulation 2016/679 (GDPR) and any changes to, amendments to or regulations that replace such laws and regulations. We use appropriate technical and organizational measures with respect to the amount and sensitivity of personal data.

It is important that you read and understand this privacy policy before you use any of the Company’s services. You should not use any of our services if you do not approve of this privacy policy. Some pages on our website contain links to third party websites. These websites have their own privacy policies and the Company is not responsible for their operations or their information policies. Any user who sends information to or through these third-party websites should hence review the privacy policies posted on those websites before any personal data is transferred to them.

For information on the collection, handling and storage of information obtained through cookies, see the “Cookies” section below.

What personal data do we collect and where from?

If you are a potential patient who may receive any of the Company’s products, are a surgeon who uses products by the Company, subscribe to the Company’s press releases, contact us through the Company’s website or otherwise use our services, you may provide information to us that is considered personal data under applicable data protection laws.

The types of personal data that we collect may, depending on the context, include:

name and contact information including address, mobile number and e-mail address;

personal identity number;

different kinds of demographic information, e.g. age and gender;

information about preferences and interests based on the use of the Company’s websites;

other user-generated information that you actively choose to share through our websites;

information pertaining to patients, such as MRI data and post-surgical pain perception scores, to allow us to carry out our customisation and patient follow-up activities and fulfill our regulatory responsibilities. Episurf acknowledges that certain patient protected health information is received from the responsible surgeon; and

data concerning health or medical care.

We may collect your personal data from the following sources:

any of the Company’s websites, e.g. when you subscribe to any of our newsletters, or contact us by email;

by means of forms and examination when surgeons are using our products; and

the ordering system developed by the Company, called µiFidelity. The system will safeguard all the information logistics to the concerned parties. The µiFidelity system is divided into modules, each requiring a unique username and password. The modules have restricted access to the patient information. The µiClinic module is intended to be used by the surgeon, and has unique access to his or her patient identification that no other module has. There, the surgeon can easily correlate the unique patient identifier to the actual patient identity, as well as review the designs provided by the Company prior to manufacturing.

Why do we process your personal data?

If you are a potential patient who may receive any of the Company’s products, we process your personal information in order to evaluate whether our products can help you. As a result, we process your personal data for the purpose of carrying out the study and/or evaluating your injury.

The Company will only collect data that is necessary in order to develop and manufacture the Episealer implant and its accompanying surgical instruments. All of the Company’s employees are trained to handle sensitive patient information in line with the Company’s patient confidentiality policy, which in summary says:

Access to sensitive data will only be given to employees on a need-to-know basis to perform their work

Everyone who is given access to the data must be trained in the necessary security measures and responsibility this implies

Data shall as far as possible be anonymised

Medical images received by the Company are anonymised upon receipt and replaced with a unique identifier assigned to every case. The identifier is used throughout the Company’s processes, and only the operating surgeon has the ability to link the identifier to the actual patient identity. Sensitive data is stored in a dedicated secure place with restricted and controlled access, using modern encryption standards.

In addition to processing your personal data in connection with patient follow-up to meet our regulatory responsibilities and evaluation of your injury, the Company may use your personal data for other purposes, based on other legal grounds, as set out below.

Legitimate interest: In order to be able to provide, carry out and improve our commitments and services, it is necessary for us to process personal data in some other cases as well, e.g. when analyzing visits on our website for statistical purposes.

In the event that a service that we provide requires your consent, we will always explicitly ask you to give your consent to such a service and to the processing of your personal data in such a case. For example, we will ask for your consent if you would like to subscribe to any of the Company’s press releases.

Retention of personal data

The Company takes all reasonable steps to ensure that your personal data is processed and stored securely. Your personal data will never be stored longer than permitted by applicable law or longer than necessary to fulfil the above stated purposes. Your personal data will be processed by us during the following time periods.

Subscriber: If you have subscribed to the Company’s press releases or if you have registered for any of the Company’s digital services your personal data is saved until you unsubscribe from our services. This does not apply if we need to save your personal data for a longer period of time due to any of the reasons stated below.

Performance of a contract: Personal data (name, personal identity number, address, telephone number, e-mail, billing and delivery information) which is submitted to the Company in connection with your surgery is stored for as long as necessary in order for the Company to comply with statutory requirements.

Consent: In cases where we process your personal data based on your consent, we will only save your personal data for as long as we still have your consent.

Transfer of personal data

We do not sell the personal data to anyone else. We only transfer personal data as described below. We always observe great caution when transferring your personal data and your personal data is only transferred in accordance with this privacy policy and after taking appropriate security measures.

Partners outside the group of companies that the Company belongs to: Our partners, i.e. companies outside the group of companies that the Company belongs to and which are approved by the Company, may get access to your personal data for the purpose of helping the Company’s production and development.

Business transactions: If all or parts of the Company’s operations are sold or integrated with any other business, operation or company, your personal data may be disclosed to our advisors, potential buyers and their advisors, and be transferred to the new owners of the operation.

Legal obligations: Your personal data may also be disclosed for the purpose of the Company’s compliance with certain legal obligations and it may be transferred to the Police and other relevant public authorities when permitted and required by law.

The types of transfers mentioned above may only be carried out to companies within the EU or EEA (i.e. all EU member states and Iceland, Norway and Liechtenstein).

Withdrawal of consent

In the event that we process your personal data based on your consent, e.g. regarding subscription to newsletters, you may withdraw your consent at any time by contacting info@episurf.com as stated below. Such withdrawal may be made in whole or in part. If you do not wish to receive press releases from us you may withdraw your consent by contacting info@episurf.com. If you withdraw your consent with respect to the use or disclosure of your personal data for other purposes stated in this privacy policy, we may no longer be able to continue to give you access to our websites or provide customer service or other services being offered to our users and permitted under this privacy policy.

Your rights

You have the right to request information about what personal data concerning you we are processing and how it is being used by contacting us in writing (see contact details below). You are also entitled to request correction of incorrect, incomplete or ambiguous personal data concerning you by contacting us. For the protection of your privacy and your personal data, we may require that you identify yourself in connection with our assistance.

In accordance with applicable data protection laws, you also have the right to request that your personal data be erased or that the processing of your personal data be restricted. In certain situations, you also have the right to object to the processing of your personal data and request that your personal data be transmitted in an electronic format.

You may file a complaint with the Swedish Data Protection Authority (sw. Datainspektionen) if you believe that the Company’s processing of your personal data is not carried out in accordance with applicable laws.

Cookies

The Company uses so-called cookies on our websites. A cookie is a small text file sent from a website to your web browser. The cookie cannot identify you personally, but only the web browser that is installed on your computer and the web browser you use when visiting the webpage. Consequently, different cookies are saved on different computers, should you use different computers when visiting our website. Cookies do not carry viruses and cannot destroy any other information stored on your computer.

Cookies are usually categorized based on their origin and based on whether they are stored in your web browser or not. Cookies can either be sent to you from the website you visit (i.e. first-party cookies) or from another organisation that delivers services to the current website, such as an analytics and statistics company (i.e. third-party cookies). Cookies can also be divided into session cookies and permanent cookies. A session cookie is sent to your computer so that the webpages can function properly during your visit and is not stored on your computer but is erased when you close down your web browser. The function of a session cookie is for example that it is activated when you return to a previously visited part of the website and thus facilitates your navigation on the website. A permanent cookie, on the other hand, is stored in your web browser and thus allows a web page to recognize your computer’s IP address even if you turn off your computer or log out between visits.

The Company uses both session cookies and permanent cookies on our website.

Most web browsers have a default setting that accepts the use of cookies. You can easily refrain from allowing the Company’s websites to store cookies on your computer with a setting in your web browser, including blocking cookies or erasing any cookies stored on your computer. How you erase or change the settings for cookies is stated in the instructions to your web browser or in the utility function that usually is available in the web browser.

Changes to privacy policy

Please note that the terms of the privacy policy may be changed or amended. Any new version will be published on the Company’s website. Consequently, you should review these terms on a regular basis to make sure that you are satisfied with the changes. In case of any material changes we will, however, e-mail you, if you have given us your e-mail address, to make you aware of any changes made.

If the changes concern processing of personal data that we carry out based on your consent, we will give you the opportunity to once again give your consent to the processing on the new terms.

Contact us

If you have any questions related to this privacy policy, if you suspect that a breach of this privacy policy has occurred, or if you would like to contact us for any reason stated in this privacy policy, please contact us using the contact details provided below.